__/ [ BearItAll ] on Thursday 09 March 2006 09:08 \__
> Roy Schestowitz wrote:
>
>> http://news.zdnet.com/2100-1009_22-6047762.html
>>
>> This is not the first time this happens.
>
> Isn't it amazing, two days after the release of the update that caused a
> vulnerability, an attacker's exploit was out. So, the code is released to the
> servers where the millions of computers collect the updates from, then it
> would take some amount of time for people to discover that there was any
> problem at all, then more time to pass the word onto the Internet. We could
> say that the hacker has already lost one day before he/she is aware of the
> possibility of a vulnerability.
>
> I find it hard to believe that people are sitting around studying every
> update (doesn't MS get one every day?), the study by these hackers would
> have to be so well done that in just two days they could discover the
> problem, write the code and distribute it to make use of the exploit.
>
> Doesn't that sound to you people to be much too professional for a typical
> hacker?
>
> I'm a programmer, I do less of it now than I once did, but spent many years
> where my primary job was programming. But I am certain that I wouldn't have
> the time to examine every MS update, every day and then come up with the
> software for the hack. It has to be a team and it must be so disciplined
> that it can't be kids (no offence to kids, but patience isn't really a
> trait you have at a young age).
Are you sure? Microsoft recently bragged about employing a 9-year-old girl. I
believe she had Microsoft certification, but I am not sure as it was months
ago.
> Call me Columbo if you like, but I can't help feeling that taking
> advantage of a bug at this pace would require prior knowledge of the bug.
On this scenario as a whole: that's just what happens when you release
software with critical flaws. You need to update and test for various
versions at haste, so the outcome is broken software. Had Microsoft taken
security seriously (as if they could handle the 'beast'), all of this would
not have happened.
Here you have plenty of confused users with software that breaks after a
seemingly innocent reboot... I've seen the same thing happen with network
components, which are far more critical. Users were no longer able to
connect to the world because they had been urged to patch their O/S. Then,
the recommended solution is to wipe. At least /that/ is a step which many
users are already familiar with, so it requires no involvement by
professionals. *smile*
Best wishes,
Roy
--
Roy S. Schestowitz | Software patents destroy innovation
http://Schestowitz.com | SuSE Linux | PGP-Key: 0x74572E8E
9:10am up 1 day 1:47, 8 users, load average: 0.01, 0.12, 0.23
http://iuron.com - next generation of search paradigms